  • Spring 3.0 NTLM error Not a Type 3 Message

    Below are the relevant excerpts from my Spring configuration. I'm not an NTLM expert. I've read all of the relevant documentation and searched for the error, and nothing I have tried seems to get past the error. I am hitting the app as user A, but the only valid login is Login B. I get the login page and I try to log in with user B credentials, but I get the Type 3 message error at that point. Does anyone have any ideas?

    ...
    <security:http use-expressions="true" auto-config='false'
    realm="cip" entry-point-ref="ntlmProcessingFilterEntryPoint">



    <security:custom-filter position="NTLM_FILTER" ref="ntlmProcessingFilter" />



    ...

    <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider
    ref="ntlmAuthProvider" user-service-ref="userDetailsService" />
    <!--<security:authentication-provider
    ref="ldapAuthProvider" user-service-ref="userDetailsService" />-->
    </security:authentication-manager>




    <!-- =========================================== NTLM Config ====================================================== -->


    <bean id="ntlmAuthProvider" class="com.bbvacompass.acegi.NtlmAuthenticationProvider">
    <constructor-arg>
    <ref local="ntlmAwareLdapAuthenticator" />
    </constructor-arg>
    <constructor-arg>
    <ref local="authoritiesPopulator" />
    </constructor-arg>
    <property name="userDetailsContextMapper" ref="userDetailsContextMapper" />
    </bean>



    <!--
    Bind and populate user from NTLM token

    constructor = initial context factory defined above
    userSearch = userSearch defined above
    -->
    <bean id="ntlmAwareLdapAuthenticator" class="org.springframework.security.ui.ntlm.ldap.authenticator.NtlmAwareLdapAuthenticator">
    <constructor-arg ref="initialDirContextFactory"/>
    <property name="userSearch" ref="userSearch"/>
    </bean>

    <bean id="ntlmAuthenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="providers">
    <list>
    <ref bean="ntlmAuthProvider" />
    </list>
    </property>
    </bean>


    <bean id="ntlmProcessingFilter" class="org.springframework.security.ui.ntlm.NtlmProcessingFilter">
    <property name="defaultDomain" value="CompassNT"/>
    <property name="netbiosWINS" value="${${site}.netbiosWINS}"/>
    <property name="domainController" value="${${site}.domainController}"/>
    <property name="smbClientUsername" ref="serviceAccount"/>
    <property name="smbClientPassword" ref="serviceAccountPassword"/>
    <property name="authenticationManager" ref="ntlmAuthenticationManager"/>
    </bean>



    <bean id="ntlmAccessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    <property name="errorPage" value="/login.jsp?failure=true"/>
    </bean>



    <bean id="ntlmProcessingFilterEntryPoint" class="org.springframework.security.ui.ntlm.NtlmProcessingFilterEntryPoint">
    <property name="authenticationFailureUrl" value="/login.jsp" />
    </bean>



    <bean id="ntlmExceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
    <ref bean="ntlmProcessingFilterEntryPoint"/>
    </property>
    <property name="accessDeniedHandler">
    <ref bean="ntlmAccessDeniedHandler" />
    </property>
    </bean>





    [9/18/09 6:46:53:314 CDT] 00000029 SystemOut O 06:46:53,314 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
    [9/18/09 6:46:53:361 CDT] 00000029 FFDCJanitor I com.ibm.ws.ffdc.FFDCJanitor doCleanupIfNeeded FFDC0004I: FFDC log file management removed 44 of 44 files that have reached their configured maximum age
    [9/18/09 6:46:53:377 CDT] 00000029 WebApp E [Servlet Error]-[Filter [springSecurityFilterChain]: filter is unavailable.]: java.io.IOException: Not a Type 3 message.
    at jcifs.ntlmssp.Type3Message.parse(Type3Message.java:546)
    at jcifs.ntlmssp.Type3Message.<init>(Type3Message.java:208)
    at org.springframework.security.ui.ntlm.NtlmProcessingFilter.processType3Message(NtlmProcessingFilter.java:393)
    at org.springframework.security.ui.ntlm.NtlmProcessingFilter.doFilter(NtlmProcessingFilter.java:341)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:98)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.authentication.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:55)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:36)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
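
An added diagnostic example, not part of the original post and not code from Spring Security or jCIFS: the "Not a Type 3 message." exception in the trace above is raised by jCIFS when the decoded NTLMSSP token's message-type field is not 3, so decoding the `Authorization` headers the browser sent shows which handshake step actually arrived. The function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
KNOWN_TYPES = (1, 2, 3)  # negotiate, challenge, authenticate


def ntlm_message_type(header_value):
    """Return the NTLMSSP message type (1, 2 or 3) carried in an
    Authorization / WWW-Authenticate header value, or None when the
    value is not a well-formed NTLM token."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Layout: 8-byte signature, then a little-endian uint32 message type.
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return msg_type if msg_type in KNOWN_TYPES else None


def check_handshake(authorization_headers):
    """Walk one connection's client Authorization headers in order.
    The server side expects Type 1, then Type 3. Return None if the
    sequence matches, else (index, expected_type, received_type)."""
    expected = 1
    for index, value in enumerate(authorization_headers):
        received = ntlm_message_type(value)
        if received != expected:
            return (index, expected, received)
        expected = 3 if expected == 1 else 1
    return None


def sample_token(msg_type):
    # Constructed sample: signature + type + zero padding, not a real capture.
    body = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(body).decode("ascii")


if __name__ == "__main__":
    # Constructed scenario: the client restarts with Type 1 where the
    # server was waiting for Type 3.
    print(check_handshake([sample_token(1), sample_token(1)]))
```

A result such as `(1, 3, 1)` means the second header carried a Type 1 message where a Type 3 was expected, which is the condition under which the parser throws.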

  • #2
    Note that NTLM support will be discontinued in Spring Security 3, in favour of Kerberos:

    https://jira.springsource.org/browse/SEC-1233



    • #3
      Thanks

      Thanks Luke, I had already read that before. I was just hoping that I could get this working temporarily. I guess I need to find a good Kerberos example and find a way to implement it within our organization or use some other mechanism.

      I need Single Sign On with our internal system and it is Active Directory and I am quickly running out of options for making this work without writing an entire solution myself.

      Will the new Kerberos solution work with Active Directory or do we need a second system to proxy the authentication from Kerberos to Active Directory?



      • #4
        Yes, it will work with AD. Mike will publish a blog article on it, but he is currently on holiday.



        • #5
          Awesome

          That's great. Is there currently any documentation out there on it at all? I'd love to attempt to get it working over the weekend. Just a crude example would be nice. I have my configuration working with Active Directory, I just need to convert it to utilize Kerberos I guess and I should be good. If I could get it working, I could donate my configuration as an example.



          • #6
            There is already a sample application I believe, but the difficult part is in configuring Kerberos for your system.



            • #7
              Configuring

              I may be SOL. Getting anything configured around here is an act of Congress. That may present an issue. Thanks for the information.



              • #8
                Well, you can point out that NTLM is less secure and that Kerberos is recommended instead. Kerberos is the default authentication mechanism used by Active Directory these days.



                • #9
                  Kerberos Sample

                  Luke - I really need to find that sample application. Where would it be located?

                  Thanks,
                  Chris



                  • #10
                    https://src.springsource.org/svn/se-...rity-kerberos/
